diff --git a/openstack_dashboard/api/ceilometer.py b/openstack_dashboard/api/ceilometer.py
index 0530eb5fd9..cc90c49fb5 100644
--- a/openstack_dashboard/api/ceilometer.py
+++ b/openstack_dashboard/api/ceilometer.py
@@ -319,11 +319,13 @@ def ceilometerclient(request):
 endpoint = base.url_for(request, 'metering')
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 LOG.debug('ceilometerclient connection created using token "%s" '
 'and endpoint "%s"' % (request.user.token.id, endpoint))
 return ceilometer_client.Client('2', endpoint,
 token=(lambda: request.user.token.id),
- insecure=insecure)
+ insecure=insecure,
+ ca_file=cacert)
 def resource_list(request, query=None, ceilometer_usage_object=None):
diff --git a/openstack_dashboard/api/cinder.py b/openstack_dashboard/api/cinder.py
index c8b32bd96d..6dc599d7bd 100644
--- a/openstack_dashboard/api/cinder.py
+++ b/openstack_dashboard/api/cinder.py
@@ -44,6 +44,7 @@ DEFAULT_QUOTA_NAME = 'default'
 def cinderclient(request):
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 cinder_url = ""
 try:
 cinder_url = base.url_for(request, 'volume')
@@ -57,6 +58,7 @@ def cinderclient(request):
 project_id=request.user.tenant_id,
 auth_url=cinder_url,
 insecure=insecure,
+ cacert=cacert,
 http_log_debug=settings.DEBUG)
 c.client.auth_token = request.user.token.id
 c.client.management_url = cinder_url
diff --git a/openstack_dashboard/api/glance.py b/openstack_dashboard/api/glance.py
index 1e18aeef6e..dc500fd429 100644
--- a/openstack_dashboard/api/glance.py
+++ b/openstack_dashboard/api/glance.py
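Review bot: The `getattr(settings, 'OPENSTACK_SSL_CACERT', None)` lookup added to `ceilometerclient` is repeated verbatim in the cinder, glance, heat, keystone, neutron, nova and swift factories, and each call then passes the value under a client-specific keyword (`ca_file` here and in heat, `cacert` for cinder, glance, keystone, nova and swift, `ca_cert` for neutron). A client constructor that takes `**kwargs` may accept a misspelled keyword without complaint and fall back to its default trust store, so the spelling is the part worth protecting. I would read the setting once in a small helper in the `base` module these factories already use, and leave a one-line comment at each call, e.g. `# ceilometerclient names this option ca_file`. The body of `ceilometerclient` starts above the hunk.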
@@ -39,10 +39,11 @@ def glanceclient(request):
 o = urlparse.urlparse(base.url_for(request, 'image'))
 url = "://".join((o.scheme, o.netloc))
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 LOG.debug('glanceclient connection created using token "%s" and url "%s"' % (request.user.token.id, url))
 return glance_client.Client('1', url, token=request.user.token.id,
- insecure=insecure)
+ insecure=insecure, cacert=cacert)
 def image_delete(request, image_id):
diff --git a/openstack_dashboard/api/heat.py b/openstack_dashboard/api/heat.py
index 2f2449c57a..16f5750336 100644
--- a/openstack_dashboard/api/heat.py
+++ b/openstack_dashboard/api/heat.py
@@ -32,12 +32,14 @@ def format_parameters(params):
 def heatclient(request, password=None):
 api_version = "1"
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 endpoint = base.url_for(request, 'orchestration')
 LOG.debug('heatclient connection created using token "%s" and url "%s"' % (request.user.token.id, endpoint))
 kwargs = {
 'token': request.user.token.id,
 'insecure': insecure,
+ 'ca_file': cacert,
 'username': request.user.username,
 'password': password
 #'timeout': args.timeout,
diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
index a8dac2caad..e0b9f048d2 100644
--- a/openstack_dashboard/api/keystone.py
+++ b/openstack_dashboard/api/keystone.py
@@ -163,12 +163,14 @@ def keystoneclient(request, admin=False):
 else:
 endpoint = _get_endpoint_url(request, endpoint_type)
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 LOG.debug("Creating a new keystoneclient connection to %s." % endpoint)
 remote_addr = request.environ.get('REMOTE_ADDR', '')
 conn = api_version['client'].Client(token=user.token.id,
 endpoint=endpoint,
 original_ip=remote_addr,
 insecure=insecure,
+ cacert=cacert,
 auth_url=endpoint,
 debug=settings.DEBUG)
 setattr(request, cache_attr, conn)
diff --git a/openstack_dashboard/api/neutron.py b/openstack_dashboard/api/neutron.py
index 8d30783974..630fdaf80c 100644
--- a/openstack_dashboard/api/neutron.py
+++ b/openstack_dashboard/api/neutron.py
@@ -395,13 +395,14 @@ def get_ipver_str(ip_version):
 def neutronclient(request):
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 LOG.debug('neutronclient connection created using token "%s" and url "%s"' % (request.user.token.id, base.url_for(request, 'network')))
 LOG.debug('user_id=%(user)s, tenant_id=%(tenant)s' % {'user': request.user.id, 'tenant': request.user.tenant_id})
 c = neutron_client.Client(token=request.user.token.id,
 endpoint_url=base.url_for(request, 'network'),
- insecure=insecure)
+ insecure=insecure, ca_cert=cacert)
 return c
diff --git a/openstack_dashboard/api/nova.py b/openstack_dashboard/api/nova.py
index 95c3110ec6..79d2164bc3 100644
--- a/openstack_dashboard/api/nova.py
+++ b/openstack_dashboard/api/nova.py
@@ -343,6 +343,7 @@ class FloatingIpManager(network_base.FloatingIpManager):
 def novaclient(request):
 insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 LOG.debug('novaclient connection created using token "%s" and url "%s"' % (request.user.token.id, base.url_for(request, 'compute')))
 c = nova_client.Client(request.user.username,
@@ -350,6 +351,7 @@ def novaclient(request):
 project_id=request.user.tenant_id,
 auth_url=base.url_for(request, 'compute'),
 insecure=insecure,
+ cacert=cacert,
 http_log_debug=settings.DEBUG)
 c.client.auth_token = request.user.token.id
 c.client.management_url = base.url_for(request, 'compute')
diff --git a/openstack_dashboard/api/swift.py b/openstack_dashboard/api/swift.py
index 200c7107e6..5a331829c0 100644
--- a/openstack_dashboard/api/swift.py
+++ b/openstack_dashboard/api/swift.py
@@ -92,6 +92,7 @@ def _objectify(items, container_name):
 def swift_api(request):
 endpoint = base.url_for(request, 'object-store')
+ cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
 LOG.debug('Swift connection created using token "%s" and url "%s"' % (request.user.token.id, endpoint))
 return swiftclient.client.Connection(None,
@@ -99,6 +100,7 @@ def swift_api(request):
 None,
 preauthtoken=request.user.token.id,
 preauthurl=endpoint,
+ cacert=cacert,
 auth_version="2.0")
diff --git a/openstack_dashboard/local/local_settings.py.example b/openstack_dashboard/local/local_settings.py.example
index 96325fee0b..147f036a6d 100644
--- a/openstack_dashboard/local/local_settings.py.example
+++ b/openstack_dashboard/local/local_settings.py.example
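Review bot: In `swift_api` (swift.py, both hunks) the new `cacert` is the only TLS setting the connection receives: unlike the other factories in this commit, the function never reads `OPENSTACK_SSL_NO_VERIFY`, so the two settings do not cover the same set of services. That is the safer direction, but an operator who relies on the no-verify switch will see object-store calls behave differently from the rest of the dashboard. A comment above the lookup would make the difference deliberate, e.g. `# Swift connections always verify the endpoint certificate; OPENSTACK_SSL_NO_VERIFY is not applied here.` The `Connection(...)` call spans both hunks and one argument line between them is not shown.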
@@ -131,6 +131,9 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"
 # Disable SSL certificate checks (useful for self-signed certificates):
 # OPENSTACK_SSL_NO_VERIFY = True
+# The CA certificate to use to verify SSL connections
+# OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
 # If Keystone has been configured to use LDAP as the auth backend then set
diff --git a/openstack_dashboard/test/helpers.py b/openstack_dashboard/test/helpers.py
index 6f7f21e11e..0f86317bc9 100644
--- a/openstack_dashboard/test/helpers.py
+++ b/openstack_dashboard/test/helpers.py
@@ -334,6 +334,7 @@ class APITestCase(TestCase):
 None,
 preauthtoken=mox.IgnoreArg(),
 preauthurl=mox.IgnoreArg(),
+ cacert=None,
 auth_version="2.0") \
 .AndReturn(self.swiftclient)
 expected_calls -= 1
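Review bot: The new comment for `OPENSTACK_SSL_CACERT` in local_settings.py.example does not say how the setting interacts with `OPENSTACK_SSL_NO_VERIFY` directly above it. Every factory in this commit except swift passes both values to its client, and if a client gives the no-verify flag precedence (the usual behaviour, though not visible in this diff) a configured CA file is silently ignored. I would extend the comment to something like `# Path to a PEM file of CA certificates used to verify the API endpoints; has no effect where OPENSTACK_SSL_NO_VERIFY is True. Prefer this over disabling verification for self-signed or private-CA deployments.`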
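Review bot: The updated expectation in `APITestCase` (test/helpers.py) only pins `cacert=None` for the swift stub, which is the case where the setting is absent. Nothing in this diff exercises a configured `OPENSTACK_SSL_CACERT`, and none of the other seven factories is checked for receiving it, so a wrong keyword name among `ca_file`, `cacert` and `ca_cert` would not fail a test. A small test that overrides the setting with a constructed path and asserts the keyword each client constructor is called with would cover that. The enclosing method starts and ends outside the hunk.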